Transatlantic Trade and Investment Partnership

By notice published on April 1, 2013 the Office of the United States Trade Representative (“USTR”) has requested comments on the Administration’s intention to enter into negotiations for a Transatlantic Trade and Investment Partnership (“TTIP”) agreement with the European Union.

The USTR’s Federal Register notice follows a March 20, 2013 letter to Congress and the Final Report of the U.S.-EU High Level Working Group (“HLWG”) on Jobs and Growth. The letter and HLWG Report indicate that the Administration intends to negotiate a broad agreement that covers a range of trade and investment issues. Although neither the Report nor the March letter explicitly discusses privacy or data protection, they mention issues that might nevertheless impact data protection. For example, the Report discusses “reducing costs stemming from regulatory differences in specific sectors, including consideration of approaches relating to regulatory harmonization, equivalence, or mutual recognition, where appropriate,” and the letter lists the goal of “[s]eek[ing] to include provisions that facilitate the movement of cross-border data flows.”

The Evolution of US and EU Privacy Regulation

In 1980, the Organization for Economic Co-operation and Development (“OECD”) released its Privacy Guidelines, widely regarded as among the most influential privacy frameworks in the world. The OECD Privacy Guidelines promote eight privacy principles: data collection limitation; data quality; purpose specification; use limitation; security safeguards; openness; individual participation; and accountability.

Notably, the origins of the OECD Privacy Guidelines may be found in a 1977 US report of the Privacy Protection Study Commission which explained that the principles were established by the US Congress and provided the “intellectual framework for the Privacy Act of 1974,” a law enacted with broad bipartisan support.

The US has recently affirmed its commitment to these foundational privacy principles. Last year, the Obama Administration released Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy. The report contains the Consumer Privacy Bill of Rights (CPBR), outlining the following principles: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability. The CPBR principles mirror the OECD guidelines.

In addition to the CPBR, the Administration report discusses several high-profile privacy issues, including online advertising, data brokers, and children’s privacy. The report encourages online advertising companies to “refrain from collecting, using, or disclosing personal data that may be used to make decisions regarding employment, credit, and insurance eligibility” and cites a “Do Not Track” mechanism as an example of a beneficial privacy-enhancing technology.

President Obama expressed his support for adoption of the principles articulated in the CPBR. He stated:

My Administration will work to advance these principles and work with Congress to put them into law. With this Consumer Privacy Bill of Rights, we offer to the world a dynamic model of how to offer strong privacy protection and enable ongoing innovation in new information technologies.

In the year since the CPBR’s publication, following the President’s statement, many executive agencies, including the Department of Commerce and the Department of State, have expressed their support for the CPBR and their intention to advocate for its adoption in international cooperative environments, such as the Working Party on Information Security and Privacy. Cameron Kerry, Commerce Department general counsel, applauded the CPBR for its “baseline privacy protections for those areas not covered today by sectoral regimes.”

Moreover, Secretary of State John Kerry has repeatedly stated his support for new laws to protect privacy. Just two years ago, then Senator Kerry and Senator McCain introduced the Commercial Privacy Bill of Rights Act of 2011, which would impose new rules on companies that gather personal data, including offering people access to data about them, or the ability to block the information from being used or distributed. Companies would have to seek permission before collecting and sharing sensitive religious, medical and financial data with outside entities.

In 2012, the European Commission proposed the “EU General Data Protection Regulation” (GDPR), which has gained support from numerous US consumer organizations. US groups support the Regulation because it “establishes single, national data protection authorities in each [EU] member state,” “adopts several innovative approaches to privacy protection, such as privacy by design and privacy by default,” and “builds on the right to data deletion.”

And collaboratively, privacy stakeholders in both the US and EU support the Madrid Declaration. Issued in November 2009, the Madrid Declaration is an international “commitment to privacy protection” that “reaffirms international instruments for privacy protection, identifies new challenges, and call[s] for concrete actions.” Formally endorsed by hundreds of domestic and international civil society groups, privacy experts, and individuals, the Declaration promotes ten propositions concerning data protection. For example, it reaffirms support for Fair Information Practice global implementation, genuine Privacy Enhancing techniques and Privacy Impact Assessments, and “independent data protection authorities.” It calls for a moratorium on mass surveillance technology, including body scanners, facial recognition, and RFID tracking, “subject to a full and transparent evaluation by independent authorities and democratic debate.” And it urges countries to ratify Article 108 “as expeditiously as possible.”

EPIC's Comments

Highly cognizant of the work being done on both sides of the Atlantic to develop strengthened national privacy laws, EPIC submitted comments to the USTR on May 10, 2013, urging the USTR not to include data privacy rules in the TTIP negotiations. EPIC believes that trade agreements are not the appropriate mechanism for determining international privacy standards, and thus the TTIP should exclude privacy and data protection entirely. To the extent that TTIP provisions impact cross-border data flows, they should allow governments to provide exceptions or limitations that strengthen the protection of their citizens’ privacy. Finally, draft texts should be made publicly available, and a mechanism should be created to ensure equal participation by consumer groups, privacy groups, and other members of civil society.

Convention

In lieu of attempting to incorporate privacy and data protections into the TTIP, EPIC recommended that the United States ratify the Council of Europe's “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.” Signed in Strasbourg, France on January 28, 1981, the Convention has the objective of securing in the territory of each nation for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him.

To this day, the Convention still remains the only binding international legal instrument with a worldwide scope of application in the field of data privacy, open to any country, including countries which are not Members of the Council of Europe. In addition, this Convention has withstood the test of time by being adaptive and fairly rigorous. At present, forty-one Member States of the Council of Europe have ratified the Convention, and two non-member countries are considering ratifying the Convention as well.

In its comments to the USTR, EPIC emphasized that the US Privacy Coalition (including EPIC) has launched a campaign to urge the US Government to support the Council of Europe Privacy Convention and has proposed a resolution for the U.S. Senate. Many countries around the world are discussing or have signed the Council of Europe Convention on Cybercrime. The Cybercrime Convention expanded law enforcement authority without oversight or accountability in spite of being opposed by many human rights organizations and NGOs around the world. Now, the Council of Europe Privacy Convention should have the support of all organizations interested in human rights and civil liberties.